Every day, countless transactions occur between computers in every type of industry from commercial and government to nonprofit and consumer. We are confident these transactions are “secure,” and most folks don’t realize security is achieved through encryption. Seamlessness can be a strength, but it also speaks to its limitations and misunderstandings.
Leading up to one of the busiest shopping seasons of the year, it is a good time to level-set on some encryption basics. Rather than reminisce over its use by the Romans or speculate about supercomputer crypto to come, I thought I would briefly discuss the different types and why they are used.
Encryption exists to protect information from unauthorized access. It protects our usernames and passwords, financial and banking information, emails and text messages, phone calls, web activity and health records. Encryption protects businesses from things like fraud, insider trading and espionage. There are several different forms of encryption, and each type is built to solve a specific problem and balance what information security professionals refer to as the security versus usability tradeoff.
- Transport encryption: Often referred to as SSL/TLS, transport encryption is that little lock in the corner of your web browser. It’s a cue that traffic flowing between your web browser and the remote website has been secured. Over the last couple of years, mega Internet companies have forced everyone to increase the use of this type of protection. While transport encryption is somewhat easy to implement, it is also fairly easy for network operators and well-funded attackers to intercept and decrypt. Is it still safe to bank online? Sure, as safe as it ever was.
- Device encryption: As straightforward as it sounds, device encryption involves crypto tied to whatever storage device you’re using. I will include “whole disk” and “volume” encryption in this category as well. It is typically implemented as a simple checkbox on a mobile device, a configuration option on a hard disk or through application software. Device encryption protects stored information in the event that your device is lost or stolen. A password or passcode is required to decrypt the storage volume in order to access its applications and information. Once a device is running or the volume is unlocked, its information is vulnerable to attack. I still recommend turning on device encryption, as physical theft is a real risk. However, don’t be fooled; this feature won’t protect you from remote hackers and malware.
- Database encryption: A typical database contains tables which are divided into columns and rows. Database encryption can be applied to the entire database or only to specific columns (think Social Security number, credit card number, driver’s license, etc.), providing good protection and performance for data used by applications. Its limitations include a lack of protection against malicious administrators and compromised admin credentials.
- File encryption: This method focuses on the data itself, regardless of the format. This type of data-centric encryption protects files persistently, regardless of the storage devices or transports involved. If you’ve ever password protected an Office document, you’ve worked with this type of encryption. There are many file encryption solutions out there, each offering a host of features. I tend to look for solutions that work on several platforms rather than one, as I want to be able to work with my files securely on all of my devices.
While there are many other forms of encryption, these make up the majority of types in use today. But what about that security vs. usability tradeoff I mentioned before? This is where encryption keys come in. There are a couple of different types and several different formats, but I’ll simplify and talk about just two:
- Symmetric Keys: One of the oldest and most secure encryption methods, in which a single key (such as a password) is used both to encrypt and to decrypt the data. This key must remain secret because anyone who possesses the key can access the data. Generally, the longer and more random a key is, the better. A great site for generating long random symmetric keys is https://grc.com/passwords.
- Asymmetric Keys: There are always two asymmetric keys: a public key, used to encrypt, and a private key, used to decrypt. The private key must never leave the authorized user’s device, while the public key should be freely exchanged and published for all to see. The use of two keys overcomes the major weaknesses of symmetric cryptography. In exchange, they are much harder to implement and use than a simple password. If you’ve ever heard someone mention a digital certificate or PGP, they’re talking about asymmetric keys.
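To make the two key types concrete, here is an added example (not code from the original post or from PKWARE) in Go, using only its standard library. It generates a random 256-bit symmetric key and uses it with AES-GCM to encrypt a document; it then generates an RSA key pair and uses the recipient's public key to wrap (encrypt) that symmetric key, so that only the holder of the matching private key can unwrap it. This goes slightly beyond the text in showing how the two are combined in practice, which is the pattern PGP and TLS both follow: bulk data under a symmetric key, the symmetric key under an asymmetric one. The document contents, the party names and the function names are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewSymmetricKey draws 32 random bytes (a 256-bit AES key) from the OS CSPRNG.
// Length and randomness, not memorability, are what make a symmetric key strong.
func NewSymmetricKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt seals plaintext with AES-GCM. A fresh random nonce is
// prepended to the output so the same key can decrypt it later.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt. GCM authenticates the data, so a
// wrong key or a modified ciphertext is rejected instead of decrypting to garbage.
func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// NewKeyPair generates a 2048-bit RSA key pair. The private key stays on the
// owner's device; priv.PublicKey is the half that can be published freely.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// WrapKey encrypts a symmetric key to a recipient's public key (RSA-OAEP).
// This is how asymmetric crypto fixes symmetric crypto's key-distribution
// problem: the shared secret can now cross an untrusted network.
func WrapKey(pub *rsa.PublicKey, symKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
}

// UnwrapKey recovers the symmetric key; only the private-key holder can do this.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

func main() {
	// Constructed sample document and recipient.
	doc := []byte("Q4 pricing sheet (constructed sample, not real data)")
	recipient, err := NewKeyPair()
	if err != nil {
		panic(err)
	}

	// Sender: one symmetric key per document; sealed data and wrapped key travel together.
	symKey, _ := NewSymmetricKey()
	sealed, _ := SymmetricEncrypt(symKey, doc)
	wrapped, _ := WrapKey(&recipient.PublicKey, symKey)

	// Recipient: unwrap with the private key, then decrypt the bulk data.
	k, _ := UnwrapKey(recipient, wrapped)
	plain, _ := SymmetricDecrypt(k, sealed)
	fmt.Printf("recovered: %s\n", plain)

	// Flipping one ciphertext bit is detected, not silently decrypted.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := SymmetricDecrypt(k, sealed); err != nil {
		fmt.Println("tampered ciphertext rejected:", err)
	}
}
```

Two design points carry over to the author's advice above: the private key is never serialized or sent anywhere in this flow, and the symmetric key is generated by the operating system's random source rather than chosen by a person, which is the "longer and more random" property in practice.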
When searching for a way to protect your information or assessing how your information is being protected by someone else, it’s important to understand the limitations of the encryption and key management systems in use. I prefer systems that separate keys and data, allow owners to hold the only copy of the keys in use and protect information end-to-end.
About the Author
Matt Little is the vice president of product development at PKWARE. Matt is a technologist at heart with more than a decade of experience in the IT industry. In his role as VP of product development, Matt oversees planning, development and lifecycle management for next-generation PKWARE offerings, including Viivo. Matt also plays a critical role in setting and driving product strategy and go-to-market activities for these products. Prior to his current role, Matt held jobs as MIS/IT director and IT manager for PKWARE. He has also worked for Compuware and Johnson Controls. Matt graduated from Marquette University with a bachelor’s degree in computer science.